feat: add QMD v2.1.0 as Nix package, bake into openclaw image

- packages/qmd: buildNpmPackage with Node.js 22 (not Bun) to avoid
  native module ABI issues with better-sqlite3 and sqlite-vec
- Vendored package-lock.json (QMD ships bun.lock, not npm lockfile)
- packages/openclaw-image: adds qmd + tsx to image contents
- packages/default.nix: rec attrset so openclaw-image can inherit qmd
- flake.nix: expose custom-qmd package output for CI caching

flake.nix

@@ -294,6 +294,7 @@
           "custom-tea-rbw" = pkgs.custom.tea-rbw;
           "custom-rclone-torbox-setup" = pkgs.custom.rclone-torbox-setup;
           "custom-opencode" = pkgs.custom.opencode;
+          "custom-qmd" = pkgs.custom.qmd;
 
           "qt-pinned-jellyfin-media-player" = pkgsQt.jellyfin-media-player;
           "qt-pinned-stremio" = pkgsQt.stremio;

packages/default.nix

@@ -1,5 +1,5 @@
 { pkgs, ... }:
-{
+rec {
   tea-rbw = pkgs.callPackage ./tea-rbw { };
   app-launcher-server = pkgs.callPackage ./app-launcher-server { };
   claude-code = pkgs.callPackage ./claude-code { };
@@ -8,5 +8,6 @@
   pi-coding-agent = pkgs.callPackage ./pi-coding-agent { };
   nextcloud-talk-desktop = pkgs.callPackage ./nextcloud-talk-desktop { };
   opencode = pkgs.callPackage ./opencode { };
-  openclaw-image = pkgs.callPackage ./openclaw-image { };
+  qmd = pkgs.callPackage ./qmd { };
+  openclaw-image = pkgs.callPackage ./openclaw-image { inherit qmd; };
 }

packages/openclaw-image/default.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   lib,
+  qmd,
 }:
 
 let
@@ -38,14 +39,14 @@ let
         ];
       }
       ''
-              mkdir -p $out/app
+        mkdir -p $out/app
 
-              # Extract all layers from the Docker image tarball
-              mkdir workdir
-              tar xf ${openclawBase} -C workdir
+        # Extract all layers from the Docker image tarball
+        mkdir workdir
+        tar xf ${openclawBase} -C workdir
 
-              # Python: parse manifest, generate shell script to extract /app from layers
-              python3 << 'PYEOF'
+        # Python: parse manifest, generate shell script to extract /app from layers
+        python3 << 'PYEOF'
         import json
 
         with open("workdir/manifest.json") as f:
@@ -71,14 +72,14 @@ let
         """)
         PYEOF
 
-              OUT_DIR="$out" sh extract.sh
+        OUT_DIR="$out" sh extract.sh
 
-              if [ ! -f "$out/app/openclaw.mjs" ]; then
-                echo "ERROR: /app/openclaw.mjs not found after extraction"
-                ls -la $out/app/ 2>/dev/null || true
-                exit 1
-              fi
-              echo "Successfully extracted openclaw app"
+        if [ ! -f "$out/app/openclaw.mjs" ]; then
+          echo "ERROR: /app/openclaw.mjs not found after extraction"
+          ls -la $out/app/ 2>/dev/null || true
+          exit 1
+        fi
+        echo "Successfully extracted openclaw app"
       '';
 
   # Python environment with pymupdf
@@ -87,20 +88,20 @@ let
   # Custom NSS files that include the "node" user (UID 1000, GID 1000).
   # fakeNss only creates root/nobody, so we create our own with all three.
   openclawNss = pkgs.runCommand "openclaw-nss" { } ''
-        mkdir -p $out/etc
-        cat > $out/etc/passwd << 'EOF'
+    mkdir -p $out/etc
+    cat > $out/etc/passwd << 'EOF'
     root:x:0:0:root user:/var/empty:/bin/sh
     nobody:x:65534:65534:nobody:/var/empty:/bin/sh
     node:x:1000:1000::/home/node:/bin/bash
     EOF
 
-        cat > $out/etc/group << 'EOF'
+    cat > $out/etc/group << 'EOF'
     root:x:0:
     nobody:x:65534:
     node:x:1000:
     EOF
 
-        cat > $out/etc/shadow << 'EOF'
+    cat > $out/etc/shadow << 'EOF'
     root:!x:::::::
     nobody:!x:::::::
     node:!x:::::::
@@ -172,14 +173,20 @@ pkgs.dockerTools.buildLayeredImage {
     pkgs.git
     pkgs.emacs
 
-    # Node.js 22+ (for openclaw runtime, QMD when packaged, matrix-bot-sdk)
+    # Node.js 22+ (for openclaw runtime, QMD, matrix-bot-sdk)
     pkgs.nodejs_22
 
+    # TypeScript runtime (for running TypeScript files directly, e.g. via nix run)
+    pkgs.tsx
+
     # Python with pymupdf (PDF-to-image for Claude vision)
     pythonEnv
 
     # Gitea CLI (PR workflow)
     pkgs.tea
+
+    # QMD — on-device hybrid search for markdown (built with Node.js 22, not Bun)
+    qmd
   ];
   # NOTE: openclawApp is NOT in contents. It would create /app as a symlink
   # to /nix/store/..., which breaks OpenClaw's symlink escape security check

packages/qmd/default.nix

@@ -0,0 +1,91 @@
+{
+  lib,
+  stdenv,
+  buildNpmPackage,
+  fetchFromGitHub,
+  nodejs_22,
+  python3,
+  sqlite,
+}:
+
+let
+  version = "2.1.0";
+
+in
+buildNpmPackage rec {
+  pname = "qmd";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "tobi";
+    repo = "qmd";
+    rev = "v${version}";
+    hash = "sha256-bqIVaNRTa8H5vrw3RwsD7QdtTa0xNvRuEVzlzE1hIBQ=";
+  };
+
+  # Vendored package-lock.json generated from QMD's package.json.
+  # QMD ships bun.lock/pnpm-lock.yaml but not package-lock.json.
+  # buildNpmPackage requires npm's lockfile format.
+  postPatch = ''
+    cp ${./package-lock.json} package-lock.json
+  '';
+
+  # Will be updated on first build attempt — nix will report the correct hash
+  npmDepsHash = "sha256-iBFj0C0BYLPtjOQqp5O/lRjeKTMMNoqHLtjGeERECpk=";
+
+  nodejs = nodejs_22;
+
+  nativeBuildInputs = [
+    nodejs
+    python3 # for node-gyp (better-sqlite3, sqlite-vec)
+  ];
+
+  buildInputs = [
+    sqlite # for sqlite extension loading at runtime
+  ];
+
+  # npm rebuild compiles native addons (better-sqlite3, sqlite-vec) against Node 22's V8
+  npmRebuildFlags = [ "--build-from-source" ];
+
+  # Don't run npm run prepare (it tries to install git hooks)
+  npmPruneFlags = [ "--omit=dev" ];
+
+  buildPhase = ''
+    runHook preBuild
+    npm run build
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/lib/qmd $out/bin
+
+    # Copy compiled output, node_modules, and config
+    cp -r dist node_modules $out/lib/qmd/
+    cp package.json $out/lib/qmd/
+
+    # Create wrapper that runs the compiled CLI with Node.js 22
+    # Sets LD_LIBRARY_PATH for sqlite-vec extension loading
+    cat > $out/bin/qmd << EOF
+    #!/bin/sh
+    export LD_LIBRARY_PATH="${sqlite.out}/lib''${LD_LIBRARY_PATH:+:}\$LD_LIBRARY_PATH"
+    exec ${nodejs}/bin/node $out/lib/qmd/dist/cli/qmd.js "\$@"
+    EOF
+    chmod +x $out/bin/qmd
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Query Markup Documents — on-device hybrid search for markdown files";
+    longDescription = ''
+      QMD combines BM25 full-text search, vector semantic search, and LLM re-ranking.
+      This build uses Node.js 22 (instead of Bun) to avoid native module ABI issues
+      with better-sqlite3 and sqlite-vec.
+    '';
+    homepage = "https://github.com/tobi/qmd";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    mainProgram = "qmd";
+  };
+}